diff --git a/README.md b/README.md
index 41e75ac..8458095 100644
--- a/README.md
+++ b/README.md
@@ -85,6 +85,9 @@ Usage
 'surpass' => $surpass
 ]);
+
+
+*Note: method dir('dir_name') can no longer receive "/" and "." to protect from directory traversal attack.
 **Upload (in View)**
diff --git a/src/Sukohi/Surpass/Surpass.php b/src/Sukohi/Surpass/Surpass.php
index dd15462..02f1792 100644
--- a/src/Sukohi/Surpass/Surpass.php
+++ b/src/Sukohi/Surpass/Surpass.php
@@ -50,7 +50,7 @@ public function path($path) {
 public function dir($dir) {
- $this->_dir = $dir;
+ $this->_dir = str_replace(["\0", '/', '.'], '', $dir);
 $this->_id_hidden_name = self::ID_HIDDEN_NAME .'_'. $dir;
 return $this;